RHBA-2013:0085 - Bug Fix Advisory

Topic

Updated nss_ldap packages that fix multiple bugs are now available for Red Hat
Enterprise Linux 5.

Description

The nss_ldap packages contain the nss_ldap and pam_ldap modules. The nss_ldap
module is a name service switch module which allows applications to retrieve
information about users and groups from a directory server. The pam_ldap module
allows a directory server to be used by PAM-aware applications to verify user
passwords.

This update fixes the following bugs:

• When parsing an ldap.conf file that contained a host and a port definition,

the nss_ldap "do_add_hosts()" function always created a URI starting with
"ldap://" regardless of SSL being enabled. Consequently, when the response
included an "ldaps://..." referral to the same server and port, the libldap
library considered this to be a different scheme ("ldaps" vs. the initial
"ldap") and opened new connections for each referral lookup instead of reusing
the existing persistent connection. The code has been improved and now when the
SSL option is enabled the initial URI will be in the format "ldaps://...". As a
result, nss_ldap now correctly uses the LDAPS scheme with SSL connections.
(BZ#761281)

• Due to a regression in the configuration parser, the "do_readline()" function

did not return the correct exit code when the last line of "/etc/ldap.secret"
did not contain a newline. Consequently, the nss_ldap module failed to bind to
the LDAP server. With this update the parser now returns the correct exit code
when parsing /etc/ldap.secret and nss_ldap works as expected in the scenario
described. (BZ#797410)

• The nss_ldap module used to leak memory when an entry that did not exist on

the remote server was requested. The memory leak has been fixed by freeing an
internal search structure even in cases where the search does not finish
successfully. (BZ#835555)

All users of nss_ldap are advised to upgrade to these updated packages, which
fix these bugs.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 761281 - ldaps scheme should be used when ssl is enabled
• BZ - 797410 - nss_ldap-253-49 fails to bind when ldap.secret does not contain a newline

CVEs

(none)

References

(none)